MAY 2022

NEWSLETTER

The Adunola, Plot L2, 401 Close, Banana Island, Ikoyi, Lagos, Nigeria www.olaniwunajayi.net +234-1-2702551

CBN RELEASES THE DRAFT OPERATIONAL

GUIDELINES FOR OPEN BANKING IN NIGERIA

BACKGROUND
In February 2021, the Central Bank of Nigeria (CBN), in a Guidelines). The Operational Guidelines set out detailed
bid to enhance competition and innovation in the provisions on the roles, responsibilities and minimum
banking system, released the Regulatory Framework for requirements of participants in the open banking system,
Open Banking in Nigeria (the Open Banking Framework) among other things.
which establishes principles for data sharing across the
banking and payments system. In this Newsletter, we examine the key provisions of the
Operational Guidelines, including but not limited to
In line with the Open Banking Framework, the CBN provisions on the scope, categories of data, tiers and
released the exposure draft of the Operational responsibilities of participants, and shared information
Guidelines for Open Banking in Nigeria (the Operational framework.

1

HIGHLIGHTS OF THE OPERATIONAL GUIDELINES
Scope and Participants
Open banking involves the use of technology to facilitate
the sharing of consumer information between financial
services providers through the use of an Application
Programming Interface (API)1.
The Operational Guidelines are applicable to banking and
other related financial services,2 specifically: (x) payment
and remittance services; (y) collection and disbursement
services; (z) personal finance advisory and management;
(xx) credit rating/scoring; (xy) deposit-taking; (xz) credit;
(yx) treasury management; (yy) mortgage; (yz) leasing/hire
purchase; and (zx) other services as may be determined by
the CBN.
Accordingly, any organisation with customer data that may
be exchanged with other entities for the provision of
innovative financial services within Nigeria is eligible to
participate in the open banking ecosystem.3 Prospective
participants may assume more than one role depending on
their services and offerings and they are expected to
register with the CBN.4
The Operational Guidelines categorise participants based
on the roles they may perform, as follows:5
1. API Provider: this is a participant that uses API to avail
data or service to another participant. Specifically, an
API Provider can be a licensed financial
institution/service provider, a Fast-Moving Consumer
Goods (FMCG) company or other retailers, Payroll
Service Bureau, etc.
2. API Consumer: on the flip side, this refers to a
participant that uses API released by API Providers to
access data or service. An API Consumer may fall
within the classes of entities listed in paragraph 7.1.
3. Customer: this is the data owner and end-user who is
required to provide consent for the release of their
data for the purpose of accessing financial services
1. An API is a is a software intermediary serving as a connection between computers or between computer programs
2. Paragraph 4.0 of the Operational Guidelines
3. Paragraph 4.1 of the Operational Guidelines
4. Paragraph 6.1 of the Operational Guidelines
5. Supra.
6. Paragraph 6.0 of the Operational Guidelines
7. Paragraph 5.0 of the Open Banking Framework
8. Paragraph 4.1 of the Open Banking Framework
MAY 2022 | NEWSLETTER
Open Banking Registry
Pursuant to the Operational Guidelines, the CBN is
required to provide and maintain an Open Banking
Registry (OBR) to: (x) provide regulatory oversight on
participants; (y) enhance transparency in the operations of
Open Banking; and (z) ensure that only registered
institutions operate within the open banking ecosystem.6
The OBR will serve as a public repository for details of
registered participants, who shall be identified by their
respective business registration numbers issued by the
Corporate Affairs Commission (CAC). An API will be
maintained by the OBR to serve as the primary means by
which Tier 3 participants (described below) can manage
the registration of their API Consumers.
Categories of Data and Tiers of Participants
The criteria for onboarding participants into the OBR shall
be based on the provisions of the Open Banking
Framework in relation to accessing data and API.7
The Open Banking Framework provides for four (4) tiers of
participants and the categories of data that can be
exchanged by participants. The data categories include: 8
1. Product Information and Service Touchpoints (PIST):
information on products provided by the participants
to their customers e.g., ATM/POS/Agent locations,
channels (website/app) addresses, institution
identifiers, service codes, fees, charges, quotes,
rates, etc.;
2. Market Insight Transactions (MIT): statistical data
not associated with any customer or account, which
is aggregated based on established factors;
3. Personal Information and Financial Transaction
(PIFT): data in relation to an individual customer
which can either be general information on the
customer or data on the customer’s transactions,
e.g., KYC data, total number or types of accounts
held, balances, bill payments, loans, repayments,
recurring transactions on customer’s account i.e.,
subscription and other transaction records; and
4. Profile, Analytics and Scoring Transaction (PAST):
information on a customer which analyses, scores or
gives an opinion on a customer e.g., credit score or
income ratings.
.
2

The tiers of participants, as well as the data categories
that they may access, are as follows:9
1. Tier 0 (Participant without a regulatory license):
these participants can access PIST and MIT data
provided that they are sponsored by a Tier 2 or Tier
3 participant;10
2. Tier 1 (Participants through CBN Regulatory
Sandbox): participants under this tier have access
to the data sharing framework by virtue of their
admission into the CBN Regulatory Sandbox and
can access PIST, MIT and PIFT data;
3. Tier 2 (Licensed Payment Service providers and
other financial institutions): these participants may
access all categories of data –PIST, MIT, PIFT and
PAST; and
4. Tier 3 (Deposit Money Banks): participants in these
tiers may also access all categories of data.
Responsibility of Participants
API Providers
Paragraph 8.1 prescribes certain minimum configuration
management (CM) requirements for API Providers,
including (x) maintaining a CM policy; (y) ensuring
automated CM processes; (z) conducting, at least, a
quarterly audit of the CM system, while maintaining a log
of all changes within the CM system; and (xx)
maintaining a configuration database.
They are also required to execute a Service Level
Agreement (SLA) with API Consumers to govern their
relationships, providing for accounting and settlement,
fee structure, reconciliation of bills, registration and
sponsorship responsibilities, among others.11
9. Paragraph 5.1 of the Open Banking Framework
10. The onboarding requirements for Tier 0 participants shall be determined by respective sponsoring Tier 2 or Tier 3 participants.
11. Paragraph 8.1.2 of the Operational Guidelines
12. Paragraph 8.5 of the Operational Guidelines
13. Paragraph 9.2 and Appendix III, Paragraph 5.2 of the Operational Guidelines
14. Paragraph 9.3 of the Operational Guidelines
MAY 2022 | NEWSLETTER
API Providers shall also maintain a problem register,
which would include incidents known to be recurring or
those that are not resolved within the window provided in
the SLA.12
API Consumer
Every API Consumer is required to maintain a Data
Governance Policy approved by a committee of its Board
of Directors or at least, an executive management
committee of the API Consumer. This policy is to be put
in place to ensure that all aspects of Customer data are
well managed by the API Consumer and that it fulfils
legal and regulatory requirements.
API Consumers must also have a Data Ethics Framework,
which shall provide principles for the acquisition,
collection, collation, analysis, use, and sharing of
personal data. The framework should also provide for
procedures to guide documentation, verification and
decision making to ensure its data processing activities
comply with extant laws and regulations.
Additional Requirements
In addition to the foregoing, API Providers and API
Consumers must comply with the Nigerian Data
Protection Regulation (NDPR) or any CBN issued data
protection regulation for financial institutions.13 They are
also required to implement information security controls
in line with the Security Standards set out in the
Operational Guidelines.14
3
 MAY 2022 | NEWSLETTER

Shared Information Framework Upon receiving the Customer consent to provide

An API Provider is only permitted to share information of
a Customer with an API Consumer upon presentation of
a valid proof of consent by the Customer, and such
consent shall be authenticated to confirm it emanates
from its Customer. The foregoing is required to be done
directly by the API Provider using the prescribed
authentication mechanism within the API Security and
Risk Management Standards.15
For consent obtained from a customer to be valid,
certain information shall be presented to the Customer
by the API Consumer, such as: (x) its full and legal name;
(y) its accreditation/registration number or other valid
means of identification in the OBR; (z) its CAC-issued
business registration number; (xx) compliance with
access level to data by service category; (xy) nature of
the request; and (xz) information about redundant data,
among others.16
The approval of the CBN is required where Customer
data will be disclosed to an outsourced service provider
– including non-Nigerian participants. Further to this, the
following additional information shall be required:
1. a statement indicating that the data would be used
or disclosed in such manner;
2. sufficient information
handling/privacy policy of the service provider; and
3. a guarantee that the customer can obtain further
information about such disclosures from the policy
or on request to the participant.17
Customer data to an API Consumer, the API Provider is
required to, among other things, require a 2-Factor
Authentication (2FA) of the end-user to verify that the
consent emanated from the Customer.
CONCLUSION
Open banking presents numerous opportunities
including availing the finest and most innovative
financial services to Customers and easing banking
transactions. However, there are the associated risks
with open banking, such as Customer data breaches or
the misuse of Customer data. One of the objectives of
the Operational Guidelines is to ensure consistency and
security across the open banking system. Thus, if
properly implemented, the Operational Guidelines will be
very useful to combat the risk of data violations and
avoid data and financial losses on the part of the
Customers.
about the data

15. Paragraph 11.1 of the Operational Guidelines

16. Ibid.
17. Paragraph 11.1.1 of the Operational Guidelines

FOR MORE INFORMATION, PLEASE CONTACT :

Damilola Salawu Kofoworola Toriola Tayo Fabusiwa
Partner Associate Associate

+234-1-2702551 Ext 2712 +234-1-2702551 +234-1-2702551

Dsalawu@olaniwunajayi.net Ktoriola@olaniwunajayi.net Tfabusiwa@olaniwunajayi.net

With over 60 years' experience in helping organizations and individuals achieve their goals, Olaniwun Ajayi LP has a track record of involvement in some of the largest and most complex transactions in
dynamic sectors of the Nigerian economy. Our unparalleled capacity to handle intricate legal issues is the bedrock of our practice, and our clients depend on us to help translate their opportunity into reality.